
Conversation

@pahud
Contributor

@pahud pahud commented Dec 5, 2025

Issue # (if applicable)

Closes #36280.

Reason for this change

AWS now recommends using enhanced TLS 1.3 security policies for API Gateway custom domain names, but the CDK SecurityPolicy enum only includes legacy TLS_1_0 and TLS_1_2 options. Users cannot specify AWS-recommended security policies like SecurityPolicy_TLS13_1_3_2025_09 because the enum is restrictive.

Description of changes

Expanded the SecurityPolicy enum in @aws-cdk/aws-apigateway to include four TLS 1.3 security policy options:

  • TLS13_1_3_2025_09 - Pure TLS 1.3 (AWS recommended)
  • TLS13_1_2_PQ_2025_09 - TLS 1.3 + 1.2 with post-quantum cryptography
  • TLS13_2025_EDGE - TLS 1.3 for edge-optimized endpoints
  • TLS13_1_3_FIPS_2025_09 - FIPS-compliant TLS 1.3

Updated validation logic to allow TLS 1.2+ security policies for multi-level base path mappings (previously only allowed the legacy TLS_1_2 enum value).

Added documentation examples showing how to use TLS 1.3 security policies for both regional and edge-optimized APIs.

Breaking Changes: None - this is a purely additive change. All existing code continues to work unchanged.

Describe any new or updated permissions being added

N/A - No IAM permissions or resource access changes.

Description of how you validated changes

  • Unit tests: Added 2 new test cases:
    • accepts TLS 1.3 security policies - verifies CloudFormation template generation
    • allows TLS 1.3 for multi-level base paths - verifies validation logic accepts TLS 1.3
  • Updated 1 existing test to match the improved error message
  • All 662 aws-apigateway unit tests passing
  • TypeScript compilation verified
  • Linting passed with no violations
  • JSII compatibility verified

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

- Add four new TLS 1.3 security policy options to SecurityPolicy enum:
* TLS13_1_3_2025_09 for regional/private APIs
* TLS13_1_2_PQ_2025_09 with post-quantum cryptography support
* TLS13_2025_EDGE for edge-optimized endpoints
* TLS13_1_3_FIPS_2025_09 for FIPS compliance
- Update multi-level base path validation to accept TLS 1.2 or higher instead of only TLS 1.2
- Add comprehensive documentation examples showing TLS 1.3 usage for both regional and edge-optimized APIs
- Add test cases to verify TLS 1.3 policies are accepted and work with multi-level base paths
- Update error message to reflect that TLS 1.2 or higher is required for multi-level base paths
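Added example, not code from this PR or from aws-cdk-lib: a stand-alone TypeScript model of the rule the PR describes, that a multi-level base path mapping (one containing a `/`) needs a security policy of TLS 1.2 or higher, together with a small helper that picks the policy the PR recommends per endpoint type. The enum string values mirror the names listed in the PR; the function names, the `/`-based definition of "multi-level", the sample base paths, and the assumption that the FIPS and post-quantum variants are regional/private choices (the PR only ties `TLS13_2025_EDGE` to edge-optimized endpoints) are this example's own assumptions. The real validation runs inside the `DomainName` construct at synth time.

```typescript
// Added example (not aws-cdk code). Models the security policies named in the
// PR and the "TLS 1.2 or higher for multi-level base path mappings" rule.

// String values are assumed to match the CloudFormation SecurityPolicy names
// used in the PR description.
enum SecurityPolicy {
  TLS_1_0 = 'TLS_1_0',
  TLS_1_2 = 'TLS_1_2',
  TLS13_1_3_2025_09 = 'TLS13_1_3_2025_09',
  TLS13_1_2_PQ_2025_09 = 'TLS13_1_2_PQ_2025_09',
  TLS13_2025_EDGE = 'TLS13_2025_EDGE',
  TLS13_1_3_FIPS_2025_09 = 'TLS13_1_3_FIPS_2025_09',
}

type EndpointType = 'REGIONAL' | 'EDGE' | 'PRIVATE';

// Only the legacy TLS_1_0 policy negotiates below TLS 1.2, so "TLS 1.2 or
// higher" reduces to "any policy except TLS_1_0" for the values above.
function allowsTls12OrHigherOnly(policy: SecurityPolicy): boolean {
  return policy !== SecurityPolicy.TLS_1_0;
}

// Assumption: a base path such as 'v1/orders' is multi-level; 'v1' is not.
function isMultiLevelBasePath(basePath: string | undefined): boolean {
  return basePath !== undefined && basePath.includes('/');
}

// Mirrors the PR's validation: throw with the "TLS 1.2 or higher" wording
// when a multi-level mapping is combined with the legacy TLS_1_0 policy.
function validateBasePathMapping(policy: SecurityPolicy, basePath?: string): void {
  if (isMultiLevelBasePath(basePath) && !allowsTls12OrHigherOnly(policy)) {
    throw new Error(
      `Multi-level base path "${basePath}" requires a security policy of ` +
      `TLS 1.2 or higher, but ${policy} was given`,
    );
  }
}

// Picks the TLS 1.3 policy the PR recommends for an endpoint type.
// Assumption: the FIPS and PQ variants are treated as regional/private
// options; edge-optimized endpoints always get TLS13_2025_EDGE.
function recommendedPolicy(
  endpointType: EndpointType,
  opts: { fips?: boolean; pq?: boolean } = {},
): SecurityPolicy {
  if (endpointType === 'EDGE') {
    return SecurityPolicy.TLS13_2025_EDGE;
  }
  if (opts.fips) {
    return SecurityPolicy.TLS13_1_3_FIPS_2025_09;
  }
  if (opts.pq) {
    return SecurityPolicy.TLS13_1_2_PQ_2025_09;
  }
  return SecurityPolicy.TLS13_1_3_2025_09;
}

// Constructed sample: a regional domain with a multi-level mapping passes
// under the recommended policy and is rejected under legacy TLS_1_0.
const sampleBasePath = 'v1/orders';
validateBasePathMapping(recommendedPolicy('REGIONAL'), sampleBasePath);
try {
  validateBasePathMapping(SecurityPolicy.TLS_1_0, sampleBasePath);
} catch (e) {
  console.log((e as Error).message);
}
```

The check deliberately keys on the one policy that still permits TLS 1.0, rather than on a list of "good" policies, so adding further TLS 1.2+ policies to the enum does not require touching the validation again.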
@aws-cdk-automation aws-cdk-automation requested a review from a team December 5, 2025 01:47
@github-actions github-actions bot added effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2 labels Dec 5, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Dec 5, 2025
@pahud pahud marked this pull request as ready for review December 5, 2025 03:38


Development

Successfully merging this pull request may close these issues.

apigateway: More DomainName security policy options for TLS 1.3
